System + Organization Controls (SOC) Reports

SOC Reports are designed to build trust and confidence in service delivery processes and controls through a report by an independent certified public accountant.


Adding Value to Service Organizations and User Entities

Service organizations that provide information system services or process transactions on behalf of another party (the “user entity”) increasingly require SOC reports to do business.

SOC reports were initially requested primarily to satisfy financial statement audit requirements, but are now required to support regulatory compliance, address third-party risk management, understand the status of cybersecurity controls, and satisfy stakeholders' demand for transparency.

Service organizations benefit from a SOC examination by:
+ Alleviating the need for multiple requests for audits;
+ Limiting time spent responding to vendor questionnaires;
+ Building trust and confidence with user entities;
+ Analyzing the efficiency and effectiveness of their control processes; and
+ Differentiating from their peers.


Types of SOC Reports

The various forms of SOC report are designed to support your specific business goals and user needs.


SOC 1 reports look at internal controls over financial reporting and are restricted-use reports. We offer both SOC 1 Type 1 and Type 2 services.

Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.

Type 2 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

While generally a restricted report, SOC 2 (both Type 1 and Type 2) evaluates system reliability controls related to compliance or operations.

A SOC 2+ takes into consideration additional subject matter in order to assess SOC 2 compliance and, simultaneously, compliance with other privacy regulations and standards.

The SOC 3 is a trust service report, and is available for general use, with a public seal. It assesses system reliability controls related to compliance or operations.

The Cybersecurity SOC is also appropriate for general use, and the process involves looking at the entity’s cybersecurity risk management program. Type 1 and 2 are offered.


Trust Services Principles + Criteria

Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (control criteria) are used to evaluate the controls within an entity's cyber risk management program, or for SOC 2® and SOC 3® engagements.


Security – The system is protected against unauthorized access.

Availability – The system is available for operation and use as committed or agreed.

Processing Integrity – System processing is complete, accurate, timely, and authorized.

Confidentiality – Information designated as confidential is protected as committed or agreed.

Privacy – Personal information obtained as a result of ecommerce is collected, used, disclosed, and retained as committed or agreed.


SOC Report Engagement Process

Our four-phase process for conducting SOC engagements is designed for engagement efficiency and thoroughness but adaptable to your timeline and operations.


In this phase, we confirm scope and objectives. For new clients, we will spend time taking a deeper dive into understanding your systems and operations. For existing clients, we will evaluate any significant changes (e.g., addition of a Trust Services Principle, new system, change in third-party service provider).


Once we have confirmed the scope, we create a more detailed timeline, share our client assistance requirements, and communicate our plan to our client.


Our fieldwork is performed through both interim and period-end testing. With our deep industry knowledge and planning leading up to fieldwork, we limit the impact of our work on your personnel.

Wrap-Up and Reporting

Once our fieldwork has concluded, we prepare the Management Rep Letter, go through our Quality Review process, issue your final report, and hold a closing meeting.






We proudly add value to our clients by specializing in providing these services to your industry, working with various entities similar in operations, size, or areas of opportunity.


Insurance entities face regulations as well as IT and business risks. In such an environment, independent verification of your operational processes and security procedures is no longer nice to have, but a requirement to do business. The Johnson Lambert team works with insurance entities day-in and day-out, and this experience along with our integrated team of financial/operational and IT auditors’ credentials and training translate to a streamlined approach focused on the right areas for your organization.


If part of your nonprofit’s or related entity’s services or offerings includes software as a service or access to sensitive data, a SOC report may benefit your organization by better illustrating the strength of your internal controls. Johnson Lambert has a team of both IT and financial/operational auditors who bring together their skills, credentials, and commitment to continuous learning with extensive experience in the nonprofit space.

